-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:24.k5su                                       Security Advisory
                                                          The FreeBSD Project

Topic:          k5su utility does not honor `wheel' group

Category:       kerberos5
Module:         kerberos5/usr.bin/k5su
Announced:      2002-05-20
Credits:        jmallet@FreeBSD.org
Affects:        FreeBSD 4.4-RELEASE
                FreeBSD 4.5-RELEASE
                FreeBSD-STABLE prior to the correction date
Corrected:      2002-05-15 12:51:30 UTC (RELENG_4)
                2002-05-15 12:56:21 UTC (RELENG_4_5)
                2002-05-15 13:04:00 UTC (RELENG_4_4)
FreeBSD only:   YES

I.   Background

The k5su utility is a SU utility similar to su(1), and is used to
switch privileges after authentication using Kerberos 5 or the local
passwd(5) file.  k5su is installed as part of the `krb5' distribution,
or when building from source with MAKE_KERBEROS5 set.  Neither of
these are default settings.

II.  Problem Description

Historically, the BSD SU utility only allows users who are members
of group `wheel' (group-ID 0) to obtain superuser
privileges.  The k5su utility, however, does not honor this convention
and does not verify group membership if a user has successfully
authenticated.

k5su also lacks other features of su(1), such as checking for
password expiration, implementing login classes, and checking
for the target user's login shell in /etc/shells.

III. Impact

Contrary to the expectations of many BSD system administrators, users
not in group `wheel' may use k5su to attempt to obtain superuser
privileges.  Note that this would require knowledge of the root
account password, or an explicit entry in the Kerberos 5 `.k5login'
ACL for the root account.

IV.  Solution

Remove the set-user-ID bit from the k5su utility:

# chmod u-s /usr/bin/k5su

This will completely disable k5su.

Sites which wish to use Kerberos 5 authentication for SU and are
comfortable with its limitations may choose to leave the set-user-ID
bit enabled.  As of the correction date, FreeBSD (including the
upcoming 4.6-RELEASE) will install k5su if requested, but the
set-user-ID bit will not be enabled by default.  See also the
ENABLE_SUID_K5SU option in make.conf(5).

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                             Revision
  Branch
- -------------------------------------------------------------------------
src/UPDATING
  RELENG_4                                                      1.73.2.67
  RELENG_4_5                                               1.73.2.50.2.12
  RELENG_4_4                                               1.73.2.43.2.12
src/etc/defaults/make.conf
  RELENG_4                                                      1.97.2.65
  RELENG_4_5                                                1.97.2.59.2.1
  RELENG_4_4                                                1.97.2.58.2.1
src/kerberos5/usr.bin/k5su/Makefile
  RELENG_4                                                      1.73.2.67
  RELENG_4_5                                                1.97.2.59.2.1
  RELENG_4_4                                                  1.1.2.2.2.1
src/share/man/man5/make.conf.5
  RELENG_4                                                      1.12.2.16
  RELENG_4_5                                                1.12.2.12.2.1
  RELENG_4_4                                                1.12.2.10.2.1
- -------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iQCVAwUBPOkdtFUuHi5z0oilAQFd1wP8CUxrBx+DJhQZqLpOocpF4yd8IWclz4Uu
8I8LT5RaWNKMrOt9FB6/jGthRFNqTL72XeDaezxT72IFSUHIpF9wI87aKNVDknPp
vQxh0Pr8/8EqvOLhvT6Hu/20xKrBZe2bht/lUQ/HxrgriaZteTAMfMYL653xgP5U
M+0f/mfSm3w=
=lTOo
-----END PGP SIGNATURE-----
